CN117828567A - External table security access control method, device, equipment and medium - Google Patents

External table security access control method, device, equipment and medium Download PDF

Info

Publication number
CN117828567A
CN117828567A CN202311866701.9A CN202311866701A CN117828567A CN 117828567 A CN117828567 A CN 117828567A CN 202311866701 A CN202311866701 A CN 202311866701A CN 117828567 A CN117828567 A CN 117828567A
Authority
CN
China
Prior art keywords
user
data
external
external table
sql
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311866701.9A
Other languages
Chinese (zh)
Inventor
张靓云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dt Dream Technology Co Ltd
Original Assignee
Hangzhou Dt Dream Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dt Dream Technology Co Ltd filed Critical Hangzhou Dt Dream Technology Co Ltd
Priority to CN202311866701.9A priority Critical patent/CN117828567A/en
Publication of CN117828567A publication Critical patent/CN117828567A/en
Pending legal-status Critical Current

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

The application provides an external table security access control method, device, equipment and medium. The method comprises the following steps: responding to the creation of an external table, acquiring a source service library and a source service library table corresponding to the external table, and storing the mapping relation between the external table and the source service library table; responding to a request sent by a user for executing SQL script related to the external table, and authenticating the user based on a security policy of a source service library table corresponding to the external table; and if the authentication is passed, submitting the SQL script to a database for execution, and returning a query result to the user after the database execution is completed.

Description

External table security access control method, device, equipment and medium
Technical Field
The present disclosure relates to the field of big data technologies, and in particular, to a method, an apparatus, a device, and a medium for controlling secure access to an external table.
Background
In a database management system, a user may be allowed to access and query data in an external data source in a database in the form of a table by defining an external table. The user does not need to copy the data of the external data source into the database, but can directly query and operate the external data in the database by establishing connection with the external data source by using SQL sentences.
However, since the data in the external table is actually in the external data source, it is often necessary to perform security policy configuration separately for the external table. When the user accesses the external table, the user permission verification and the query result data desensitization are carried out according to the security policy on the external table.
Disclosure of Invention
In view of this, the present specification provides the following methods, apparatus, devices, and media.
In a first aspect of the present application, there is provided an external table security access control method, the method comprising:
responding to the creation of an external table, acquiring a source service library and a source service library table corresponding to the external table, and storing the mapping relation between the external table and the source service library table;
responding to a request sent by a user for executing SQL script related to the external table, and authenticating the user based on a security policy of a source service library table corresponding to the external table;
and if the authentication is passed, submitting the SQL script to a database for execution, and returning a query result to the user after the database execution is completed.
In a second aspect of the present application, there is provided an external table security access control apparatus, the apparatus comprising:
the system comprises an acquisition unit, a storage unit and a storage unit, wherein the acquisition unit is used for responding to the creation of an external table, acquiring a source service library and a source service library table corresponding to the external table and storing the mapping relation between the external table and the source service library table;
an authentication unit, configured to respond to a request sent by a user to execute an SQL script related to the external table, and authenticate the user based on a security policy of a source service library table corresponding to the external table;
and the execution unit is used for submitting the SQL script to the database for execution if the authentication is passed, and returning a query result to the user after the database execution is waited to be completed.
In a third aspect of the present application, there is provided an electronic device, including a communication interface, a processor, a memory, and a bus, where the communication interface, the processor, and the memory are connected to each other by the bus;
the memory stores machine readable instructions that the processor performs the above method by invoking the machine readable instructions.
In a fourth aspect of the present application, there is provided a machine-readable storage medium storing machine-readable instructions that, when invoked and executed by a processor, implement the above method.
The above embodiments of the present specification have at least the following advantageous effects:
according to the technical scheme, the relation between the external table and the source service table is stored, and when a user accesses the external table, the user permission is safely controlled based on the safety strategy of the source service table, so that the maintenance cost and the safety risk are reduced.
Drawings
FIG. 1 is a flow chart of an external table security access control method shown in an illustrative embodiment;
FIG. 2 is a schematic diagram of an external table security access control method, shown in an illustrative embodiment;
FIG. 3 is a hardware block diagram of an electronic device in which an external table security access control apparatus is located, as shown in an illustrative embodiment;
FIG. 4 is a block diagram of an external table security access control device, shown in an illustrative embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
In order to enable those skilled in the art to better understand the technical solutions in the embodiments of the present disclosure, a brief description of related techniques related to furniture tracing related to the embodiments of the present disclosure is provided below.
External table: external tables are a concept in database management systems (DBMS) that allow users to access and query data in the form of tables in databases from external data sources. The external data source may be other databases, text files, spreadsheets, web services, and the like. The external table allows a user to access and query external data in real time by establishing a connection with an external data source without copying the data of the external data source into the database. The external tables are similar to ordinary tables in databases, but their data is actually stored in an external data source. The database system describes the data structure and access manner in the external data source through the external table definition so that the user can directly use the SQL statement in the database to query and manipulate the external data.
SQL: the generic term Structured Query Language, structured query language, is a standard computer language for accessing and processing databases, including data insertion, query, update and deletion, database schema creation and modification, and data access control, among others.
Data authentication: data authentication is a mechanism for controlling data access and operational rights, ensuring that only authenticated and authorized users or systems can access and modify data. Data authentication is an important component of data security, and by authenticating and authorizing users and operations, unauthorized access and data leakage can be prevented.
Data desensitization: data desensitization is a technique for protecting the privacy of sensitive data, a data protection policy aimed at replacing or modifying sensitive data to prevent unauthorized access and disclosure. The goal of data desensitization is to protect sensitive information while maintaining the usability and practicality of the data.
In the related art, data in a service library is regularly extracted to a large data platform through a data integration task, and then the data is cleaned and processed. The external table can be used for directly accessing and operating the data in the service library in the large data platform through SQL, and directly carrying out data cleaning and processing.
While security control is required during the use of the external table, the prior art scheme generally configures security policies, such as user authorization, data classification and classification rules, etc., for the external table by itself. When the user accesses the external table, the user permission verification and the query result data desensitization are carried out according to the security policy on the external table.
Therefore, after the external table refers to the service library resource, the external table needs to be configured again, and when the security policy of the service library is changed, the security policy of the external table needs to be reconfigured in time, so that maintenance cost and security risk are increased.
In view of this, the present specification proposes an external table security access control method for performing security control using a security policy corresponding to a service source table when accessing an external table by storing a correspondence between the external table and the service library source table.
The following describes the present application through specific embodiments and in connection with specific application scenarios.
Referring to fig. 1, fig. 1 is a flow chart illustrating an external table security access control method according to an exemplary embodiment.
The above method may perform the steps of:
step 102: and responding to the creation of the external table, acquiring a source service library and a source service library table corresponding to the external table, and storing the mapping relation between the external table and the source service library table.
When the external table is built in the database, the information of the source service library and the source service table corresponding to the external table can be saved, and the mapping relation between the external table and the source service table is saved in the database locally.
Specifically, when the external table is built, the user needs to input the database name, the external table source service library name and the source service table name of the external table to be built. The metadata service can generate an external table definition statement according to the information input by the user, submit the external table definition statement to the formulated database for execution, and complete the creation of the external table at the database level, so that the user can access or operate the data in the external table in the database by using SQL later. The metadata service may store a mapping relationship of the external table and the source service table.
Step 104: responding to a request sent by a user for executing SQL script related to the external table, and authenticating the user based on the security policy of the source service library table corresponding to the external table.
When a user needs to access data in an external table, a request to execute a use SQL script may be initiated, which may include SQL statements relating to the external table.
The metadata service may identify SQL statements related to an external table, query a security policy configured on a source service table having a mapping relationship with the external table, authenticate a user initiating a request based on the security policy, and confirm whether the user has permission to access data in the external table.
If the user is confirmed to not have the right to access the data in the external table according to the security policy on the source service table, authentication fails, the flow is interrupted, and the SQL script requested to be executed by the user cannot be executed.
Step 106: and if the authentication is passed, submitting the SQL script to a database for execution, and returning a query result to the user after the database execution is completed.
If the user is confirmed to have the authority to access the data in the external table according to the security policy on the source service table, the authentication is successful, and the SQL script requested to be executed by the user can enter the database to be executed.
When SQL script execution is completed, the database may return the execution results.
The execution result returned to the user may also be desensitized data subjected to data desensitization according to the configured security policy, which is not specifically limited in this specification.
According to the embodiment, the relation between the external table and the source service table is stored, and when a user accesses the external table, the user permission is safely controlled based on the security policy of the source service table, so that the maintenance cost and the security risk are reduced.
When a user accesses a database, the accessed object may include only internal table data, only external table data, and may include both internal table data and external table data.
Therefore, the SQL script requested to be executed by the user can be analyzed to judge whether the SQL script needs to access the data in the external table.
In one illustrative embodiment shown in this description, when a user sends a request to execute an SQL script, the SQL script to be executed may be parsed based on an SQL parser.
Performing lexical analysis and semantic analysis on each SQL sentence to be executed in the SQL script, and judging whether an access object of the SQL sentence is an external table or not;
if the access object of the SQL sentence is an external table, inquiring a source service table corresponding to the external table, and based on the security policy of the source service table, performing authority calculation on the user, and judging whether the user has the authority for accessing the source service table.
If the user does not have the authority to access the source service table, authentication is not passed, the user cannot access the external table, and SQL sentences cannot be executed.
Authentication is passed if the user has the right to access the source service table, the user can access the external table, and the SQL statement can be executed.
For the condition that the authentication of part of SQL sentences in the SQL script is successful, only the part of the SQL sentences with successful authentication can be transmitted into a database for execution, and the part of the SQL sentences with failed authentication can be blocked.
Authentication failure information can be returned to the user to prompt the user that the user does not have the access right of the external table. The authentication failure information may also include information that those statements in the SQL script are not executed.
In addition to the external tables, there may be cases where the user has insufficient user rights to access the internal tables in the database, and cannot access the data. All data tables accessed by the user can have corresponding authentication operations.
Therefore, all the tables accessed by the user can be processed uniformly, and the data security service of the database performs user authentication according to the security policy of each table, wherein the security policy of the external table is determined according to the security policy of the corresponding source service table.
Specifically, lexical analysis and semantic analysis can be performed on the SQL script based on the SQL parser, and target fields of SQL sentence operations, a target database, a target data table and corresponding operation types of the target fields are extracted from each SQL sentence.
For example, in one embodiment, the database submitting SQL is DB1, DB2 accessed across libraries is another database instance of the same database address, and the SQL script may include several SQL statements:
select id from property;
select id,name from people;
select*from DB2.people;
insert into people select*from DB2.people;
the above SQL statements represent respectively:
querying an id field in a data table property in a database DB 1;
querying an id field and a name field in a data table scope in the database DB 1;
querying all fields in a data table scope in the data table DB 2;
all fields in the data table peple in the data table DB2 are queried and updated into the data table peple in the database DB1.
Based on the SQL statement, the information in Table 1 below can be extracted:
TABLE 1
When the target data table of the SQL sentence contains an external table, the library and table information of the external table in the extracted information can be replaced by the information of the corresponding source service library and source service table.
For example, the data table peple in the database DB1 and the data table peple in the database DB2 are external tables;
the source service library corresponding to the data table scope in the database DB1 is the database OUT1, and the source service table is the data table scope 1; the source service library corresponding to the data table scope in the database DB2 is the database OUT2, and the source service table is the data table scope 2.
Then, after replacing the information in table 1, the information in table 2 below can be obtained:
TABLE 2
After the library and the table information of the external table in the extracted information are replaced by the corresponding source service library and source service table information, authority calculation can be carried out on the user according to each target data table related in each SQL statement according to the replaced information, and an authentication result of the user is obtained.
In the above process, the external table information is replaced by the source service library table information, so that the user permission verification is performed based on the permission configuration of the source service library table, and the permission configuration of the external table is not needed.
For example, if the user has the query and update authority of the data table db1.property and the data table out1.peple 1, but does not have the query authority of the data table out2.peple 2, the authentication of the SQL statements 1 and 2 can pass, but the authentication of the SQL statements 3 and 4 can not pass.
The SQL sentences 1 and 2 can be subsequently transmitted into the database for execution, and the information that the SQL sentences 3 and 4 cannot be executed because the user does not have the query authority of the data table OUT2.
When the user authentication passes, the SQL statement is transmitted into the database to be executed, after an execution result is obtained, the returned data can be subjected to data desensitization according to a security policy, and the desensitized data is returned to the user.
For data in the external table, its security policies may also include data sensitivity policies. Similarly, the data sensitivity policy of the external table may also be determined according to the data sensitivity level in the security policy of the corresponding source service table. Different fields in the data table may have different data sensitivities, corresponding to different data sensitivity levels.
The user's permission level may be defined based on the data sensitivity level. For example, the user's permission level may be defined as follows: for data with the data sensitivity level not higher than the authority level of the user, the user can directly check the data; for data with the data sensitivity level higher than the authority level of the user, the user cannot directly view the data and only can view the data subjected to data desensitization.
The sensitivity level of the returned data after the SQL statement is executed can also be judged by adopting a mode of analyzing the SQL statement.
Specifically, the following method may be adopted:
analyzing SQL scripts executed by a user based on an SQL analyzer, performing lexical analysis and semantic analysis on the SQL scripts, and extracting target fields of the SQL sentences, a target database where the target fields are located and target data table information from each SQL sentence;
the SQL statement using the wildcards to represent the target fields can acquire the target fields by querying metadata information of the target data table.
For example, for the following SQL statement that represents the target field with wildcards:
select*from DB.table;
the SQL statement represents a query of all fields from a data table in the database DB.
The field names of all the fields of the data table can be obtained by inquiring the metadata information of the data table, and all the fields of the data table are used as target fields of the SQL statement.
And obtaining the blood edge information of the target field based on the information of the target database and the target data table where the target field is located.
For example, in one embodiment, the database submitting the SQL script is DB3, DB4 accessed across the library is another database instance of the same database address, and the SQL script may include the following SQL statements:
the SQL script executed by the user includes the following SQL statements:
select id from goods;
select id,name from staff;
select*from DB4.staff;
the above SQL statements represent respectively:
querying an id field in a data table good in the database DB 3;
querying an id field and a name field in a data table staff in the database DB 3;
querying all fields in the data table staff in the data table DB 4;
based on the SQL statement, the information in Table 3 below can be extracted:
TABLE 3 Table 3
According to the metadata information of the query data table db4.staff, the field names id, name and six of all fields are obtained.
When the target data table of the SQL sentence contains an external table, the library and table information of the external table in the extracted information can be replaced by the information of the corresponding source service library and source service table.
The extracted library name and table name can be used for inquiring whether the table is an external table or not and the corresponding relation between the external table and the service library source table, and if the table is the external table, the library and table information is replaced by the service library source table information.
For example, the source service table corresponding to data table db3.staff is data table out3.staff1; data table db4.staff the corresponding source traffic table is data table out4.staff 2.
Then, after replacing the information in table 3, the information in table 4 below can be obtained:
TABLE 4 Table 4
Based on the blood-source information extracted by the method, the data sensitivity level of the database, the data table and the field related to each SQL statement can be respectively inquired; then, inquiring the authority level of the user, and for the data with the data sensitivity level not higher than the authority level of the user, the user can directly check without data desensitization; for data with the data sensitivity level higher than the authority level of the user, the user cannot directly view the data and only can view the data subjected to data desensitization.
For example, the data sensitivity level of a portion of the target fields in SQL statement 3 is shown in Table 5 below, and the security level of the user is 8.
Store name Table name Fields Data sensitivity level
OUT4 staff2 id 5
OUT4 staff2 name 10
OUT4 staff2 sex 10
TABLE 5
In the above process, the external table information is replaced by the source service library table information, so that the user permission verification is performed based on the permission configuration of the source service library table, and the permission configuration of the external table is not needed.
Then for SQL statement 3: select from out4.Staff; the id field does not need to be desensitized, and the name field and the six field need to be desensitized according to configured desensitization rules before the user can be returned.
According to the embodiment, the relation between the external table and the source service table is stored, and when a user accesses the external table, the access authority and the data sensitivity authority of the user are safely controlled based on the security policy of the source service table, so that the maintenance cost and the security risk are reduced.
Referring to fig. 2, fig. 2 is a schematic diagram illustrating an external table security access control method according to an exemplary embodiment.
The specific steps of the external table security access control method are described in detail below in conjunction with fig. 3.
1. A user initiates a request for creating an external table to metadata, and inputs a database, an external table name, an external table source service library and a source service table;
2. the metadata service generates an external table definition statement according to the user input information, submits the external table definition statement to a specified database for execution, and completes the creation of an external table of a database layer;
3. the metadata service stores the mapping relation between the external table and the source business library table;
4. the metadata service feeds back the information of successful creation of the external table to the user;
5. a user inputs an SQL script related to the use of an external table in a data development platform to request to execute an SQL sentence;
6. the data development platform firstly calls a data security service to authenticate a user;
7. according to the input database information and SQL script, using SQL parser to analyze the SQL script lexically and semantically, extracting library, table, field and operation type from SQL sentence;
8. inquiring whether the metadata service confirmation table is an external table or not and a mapping relation of a service library source table of the external table;
9. if the table is an external table, replacing the library and table information with service library source table information; performing authority calculation to obtain a user authentication result;
10. the data security service returns the user authentication result to the data development platform; if the user has no authority to access the resource, interrupting the flow, and prompting the user that the user has no corresponding resource authority; if the authentication is passed, continuing to execute;
11. submitting the SQL script to a database for execution, and obtaining a query result after the database execution is completed;
12. the database returns the query result to the data development platform;
13. the data development platform calls a data security service to perform data desensitization on the query result;
14. according to the input database information and SQL script, using SQL analyzer to make lexical analysis and semantic analysis on SQL script, can extract library, table, field and blood-margin information from SQL sentence;
15. inquiring whether the metadata service confirmation table is an external table or not and a mapping relation of a service library source table of the external table;
16. if the table is an external table, replacing the library and table information with service library source table information; inquiring classification and grading rules of a library, a table and a field to calculate a security effective level according to the extracted blood edge information; then, inquiring the security level of the user, and if the security level of the user is lower than the effective level of the data, performing data desensitization on the corresponding field of the result set of the data;
17. the data security service returns the desensitized data to the data development platform;
18. and the data development platform returns the desensitized data to the user.
According to the embodiment, the relation between the external table and the source service table is stored, when a user accesses the external table, the security control is performed on the access right and the sensitive data of the user based on the security policy of the source service table, the security policy is not required to be manually configured on the external table, the maintenance cost is reduced, the use of the external table takes effect immediately after the security policy of the source table is modified, the problem of inconsistent security policies is avoided, and the security risk is reduced.
Referring to fig. 3, fig. 3 is a hardware configuration diagram of an electronic device in which an external table security access control apparatus is located in an exemplary embodiment. At the hardware level, the device includes a processor 302, an internal bus 304, a network interface 306, memory 308, and non-volatile storage 310, although other hardware required for the service is possible. One or more embodiments of the present description may be implemented in a software-based manner, such as by the processor 302 reading a corresponding computer program from the non-volatile storage 310 into the memory 308 and then running. Of course, in addition to software implementation, one or more embodiments of the present disclosure do not exclude other implementation manners, such as a logic device or a combination of software and hardware, etc., that is, the execution subject of the following processing flow is not limited to each logic unit, but may also be hardware or a logic device.
Referring to fig. 4, fig. 4 is a block diagram of an external table security access control apparatus according to an exemplary embodiment.
The external table security access control apparatus may include:
an obtaining unit 410, configured to obtain a source service library and a source service library table corresponding to an external table in response to creating the external table, and store a mapping relationship between the external table and the source service library table;
an authentication unit 420, configured to, in response to a request sent by a user to execute an SQL script related to the external table, authenticate the user based on a security policy of a source service library table corresponding to the external table;
and the execution unit 430 is configured to submit the SQL script to the database for execution if the authentication is passed, and return a query result to the user after waiting for the database execution to be completed.
In one embodiment, the authentication unit 420 is specifically configured to:
responding to a request sent by a user for executing the SQL script, analyzing the SQL script based on an SQL analyzer, and judging whether the SQL script is the SQL script related to an external table or not;
and if the SQL script is a script related to an external table, acquiring a source service library table corresponding to the external table, and authenticating the user based on the security policy of the source service library table.
In one embodiment, the authentication unit 420 is specifically configured to:
based on an SQL (structured query language) script executed by a user, acquiring information of a target field related to the SQL script, wherein the information of the target field comprises a target database name, a target data table name, a target field list and target operation aiming at the target field;
replacing a target database name and a target data table name in information belonging to a target field of an external table in the target field with a target database name and a target data table name of a source business database table corresponding to the external table;
inquiring the user authority of the user, and judging whether the user has the authority for carrying out target operation on the target field or not based on the authority configuration of each target data table.
In one embodiment, the execution unit 430 is specifically configured to:
and data desensitization is carried out on the query result based on the security policy of the source service library table, and the desensitized data is returned to the user.
In one embodiment, the execution unit 430 is specifically configured to:
based on the SQL analyzer analyzing an SQL script executed by a user, acquiring a target field related to the SQL script and blood-source information of the target field;
based on the mapping relation between the external table and the source service library table, replacing the target field belonging to the external table with the target field in the corresponding target service source table, and updating the blood-source information of the target field;
inquiring the data sensitivity level of each target field based on the blood edge information of the target field list, and performing data desensitization on the data of the target fields with the data sensitivity level higher than the authority level of the user.
In one embodiment, the execution unit 430 is specifically configured to:
based on the SQL analyzer analyzing an SQL script executed by a user, acquiring a target field related to the SQL script; wherein, for the statement that uses wildcards to represent the target field in SQL script, the target field is obtained by inquiring metadata service;
and determining the blood margin information of the target field according to the database and the data table where the target field is located.
In one embodiment, the apparatus further comprises:
a notification unit 440 for:
if the authentication is not passed, a notification that no corresponding resource authority exists is sent to the user.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are illustrative only, in that the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the objectives of the present description solution. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, read only compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by the computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article of furniture, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article of furniture, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, piece of furniture or apparatus comprising the element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The foregoing description of the preferred embodiment(s) is (are) merely intended to illustrate the embodiment(s) of the present invention, and it is not intended to limit the embodiment(s) of the present invention to the particular embodiment(s) described.

Claims (10)

1. A method for external table security access control, the method comprising:
responding to the creation of an external table, acquiring a source service library and a source service library table corresponding to the external table, and storing the mapping relation between the external table and the source service library table;
responding to a request sent by a user for executing SQL script related to the external table, and authenticating the user based on a security policy of a source service library table corresponding to the external table;
and if the authentication is passed, submitting the SQL script to a database for execution, and returning a query result to the user after the database execution is completed.
2. The method of claim 1, wherein the step of determining the position of the substrate comprises,
the step of responding to the request sent by the user for executing the SQL script related to the external table, authenticating the user based on the security policy of the source service library table corresponding to the external table, and comprises the following steps:
responding to a request sent by a user for executing the SQL script, analyzing the SQL script based on an SQL analyzer, and judging whether the SQL script is the SQL script related to an external table or not;
and if the SQL script is a script related to an external table, acquiring a source service library table corresponding to the external table, and authenticating the user based on the security policy of the source service library table.
3. The method of claim 1, wherein the step of determining the position of the substrate comprises,
the authentication of the user based on the security policy of the source service table corresponding to the external table comprises the following steps:
based on an SQL (structured query language) script executed by a user, acquiring information of a target field related to the SQL script, wherein the information of the target field comprises a target database name, a target data table name, a target field list and target operation aiming at the target field;
replacing a target database name and a target data table name in information belonging to a target field of an external table in the target field with a target database name and a target data table name of a source business database table corresponding to the external table;
inquiring the user authority of the user, and judging whether the user has the authority for carrying out target operation on the target field or not based on the authority configuration of each target data table.
4. The method of claim 1, wherein the step of determining the position of the substrate comprises,
the returning of the query result to the user comprises the following steps:
and data desensitization is carried out on the query result based on the security policy of the source service library table, and the desensitized data is returned to the user.
5. The method of claim 4, wherein the step of determining the position of the first electrode is performed,
the data desensitization of the query result based on the security policy of the source service library table comprises the following steps:
based on the SQL analyzer analyzing an SQL script executed by a user, acquiring a target field related to the SQL script and blood-source information of the target field;
based on the mapping relation between the external table and the source service library table, replacing the target field belonging to the external table with the target field in the corresponding target service source table, and updating the blood-source information of the target field;
inquiring the data sensitivity level of each target field based on the blood edge information of the target field list, and performing data desensitization on the data of the target fields with the data sensitivity level higher than the authority level of the user.
6. The method of claim 5, wherein the step of determining the position of the probe is performed,
the step of analyzing the SQL script executed by the user based on the SQL analyzer to obtain the target field related to the SQL script and the blood-source information of the target field comprises the following steps:
based on the SQL analyzer analyzing an SQL script executed by a user, acquiring a target field related to the SQL script; wherein, for the statement that uses wildcards to represent the target field in SQL script, the target field is obtained by inquiring metadata service;
and determining the blood margin information of the target field according to the database and the data table where the target field is located.
7. The method according to claim 1, wherein the method further comprises:
if the authentication is not passed, a notification that no corresponding resource authority exists is sent to the user.
8. An external table security access control apparatus, the apparatus comprising:
the system comprises an acquisition unit, a storage unit and a storage unit, wherein the acquisition unit is used for responding to the creation of an external table, acquiring a source service library and a source service library table corresponding to the external table and storing the mapping relation between the external table and the source service library table;
an authentication unit, configured to respond to a request sent by a user to execute an SQL script related to the external table, and authenticate the user based on a security policy of a source service library table corresponding to the external table;
and the execution unit is used for submitting the SQL script to the database for execution if the authentication is passed, and returning a query result to the user after the database execution is waited to be completed.
9. A storage medium having stored thereon a computer program which, when executed, implements the steps of the method according to any of claims 1-7.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 1-7 when the program is executed by the processor.
CN202311866701.9A 2023-12-29 2023-12-29 External table security access control method, device, equipment and medium Pending CN117828567A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311866701.9A CN117828567A (en) 2023-12-29 2023-12-29 External table security access control method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311866701.9A CN117828567A (en) 2023-12-29 2023-12-29 External table security access control method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN117828567A true CN117828567A (en) 2024-04-05

Family

ID=90518653

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311866701.9A Pending CN117828567A (en) 2023-12-29 2023-12-29 External table security access control method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN117828567A (en)

Similar Documents

Publication Publication Date Title
KR101120814B1 (en) Systems and methods that optimize row level database security
US10614248B2 (en) Privacy preserving cross-organizational data sharing with anonymization filters
US10210266B2 (en) Database query processing on encrypted data
US8983985B2 (en) Masking sensitive data of table columns retrieved from a database
US10438008B2 (en) Row level security
CN108874863B (en) Data access control method and database access device
US10404757B1 (en) Privacy enforcement in the storage and access of data in computer systems
US9224007B2 (en) Search engine with privacy protection
US20230004672A1 (en) Secure data point matching in a multiple tenant database system
US7711750B1 (en) Systems and methods that specify row level database security
US20220100899A1 (en) Protecting sensitive data in documents
US20190205869A1 (en) Anonymization of data fields in transactions
US11281794B2 (en) Fine grained access control on procedural language for databases based on accessed resources
US11416631B2 (en) Dynamic monitoring of movement of data
US11934551B2 (en) Processing per-use requests for user data
US10764253B2 (en) System for using metadata to identify and extract specific upstream data, provisioning data batches, and providing dynamic downstream data access
CN117828567A (en) External table security access control method, device, equipment and medium
Deshpande et al. The Mask of ZoRRo: preventing information leakage from documents
CN114238273A (en) Database management method, device, equipment and storage medium
Pereira et al. Distributed and typed role-based access control mechanisms driven by CRUD expressions
US20220353298A1 (en) Embedded and distributable policy enforcement
CN112182023B (en) Big data access control method and device, electronic equipment and storage medium
US20240193294A1 (en) Automated pre-commit scan of application code for privacy protected data accesses
US20230315750A1 (en) Restriction-compliant data replication
Oudejans et al. QOMPLIANCE: Declarative Data-Centric Policy Compliance

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination